bug-gawk

[bug-gawk] Question regarding security of gawk CGI scripts


From: taltman
Subject: [bug-gawk] Question regarding security of gawk CGI scripts
Date: Wed, 11 Jun 2014 13:23:40 -0700
User-agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.5.0


I have a question regarding gawk which is not a bug to report. I don't
know of an email list, newsgroup, etc. that is more appropriate for
posting such questions, so please forgive me if I am in error.

In the GAWK manual, there's the following discussion of CGI security:

"This option is particularly necessary for World Wide Web CGI
applications that pass arguments through the URL; using this option
prevents a malicious (or other) user from passing in options,
assignments, or awk source code (via --source) to the CGI application."

I am confused about how a remote malicious user would be able to
manipulate the command line used to execute the gawk CGI program. GET
method variables are passed via environment variables, and POST method
variables are passed via STDIN. Is there some other way that

The only scenario that makes sense to me would be: a malicious user on the
same system which hosts the CGI script tries to invoke the script, and
passes in extra command-line arguments. Is that what is meant?

I am writing a CGI script using gawk, and I want to make sure that I
fully understand this security concern, and the associated threat model.


Thanks in advance, and my apologies again if this question is
inappropriate for this list.


Regards,

~Tomer Altman
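Added example, not part of the post above and not code from the gawk project: a POSIX shell model of the route by which URL content reaches a CGI script's command line. The CGI/1.1 specification (RFC 3875, section 4.4) says that when a GET request's query string contains no unencoded "=", the server may treat it as an "indexed" query, split it on "+", percent-decode each word and pass the words to the script as argv. A script started as "#!/usr/bin/gawk -f" therefore sees those words where gawk parses options, which is the exposure the quoted manual text describes; "#!/usr/bin/gawk -E" makes the script file the last option, so the same words become plain ARGV data. Whether a given web server applies the indexed-query rule is server-specific, and the file name script.awk, the "pwned" marker and the query strings below are constructed for the demo. Only the argv-splitting part is pure shell plus awk; the side-by-side gawk run is skipped when gawk is not installed.

```shell
#!/bin/sh
# Added example: model of the CGI/1.1 indexed-query rule (RFC 3875, section 4.4)
# and its effect on a gawk CGI script started with -f versus -E.
# Constructed for the demo: script.awk contents, the "pwned" marker, the queries.

# cgi_argv QUERY_STRING: print the argv words a server following the
# indexed-query rule would pass, one per line. A form query (one containing
# '=') yields no argv; its data only ever arrives via QUERY_STRING or stdin.
cgi_argv() {
    case "$1" in
        *=*) return 0 ;;
    esac
    printf '%s\n' "$1" | awk '
    # Decode %XX escapes after splitting, as the RFC specifies.
    function pct_decode(s,    out, i, c, hex, h) {
        hex = "0123456789ABCDEF"; out = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            h = toupper(substr(s, i + 1, 2))
            if (c == "%" && h ~ /^[0-9A-F][0-9A-F]$/) {
                out = out sprintf("%c", (index(hex, substr(h, 1, 1)) - 1) * 16 \
                                        + index(hex, substr(h, 2, 1)) - 1)
                i += 2
            } else {
                out = out c
            }
        }
        return out
    }
    BEGIN { FS = "[+]" }        # words are separated by literal "+"
    { for (i = 1; i <= NF; i++) if ($i != "") print pct_decode($i) }'
}

# run_cgi MODE QUERY_STRING: invoke a throwaway script.awk the way a
# "#!/usr/bin/gawk MODE" shebang would, with the indexed-query argv appended.
# MODE is -f (options still parsed after the script) or -E (script is the
# last option; every following word is ARGV data). Prints the script output.
run_cgi() {
    mode=$1; query=$2
    script=$(mktemp) || return 1
    printf '%s\n' '{ print "record:", $0 }' > "$script"
    # Rebuild the word list positionally so quotes and spaces survive intact.
    set --
    while IFS= read -r word; do
        [ -n "$word" ] && set -- "$@" "$word"
    done <<EOF
$(cgi_argv "$query")
EOF
    out=$(gawk "$mode" "$script" "$@" < /dev/null 2>/dev/null) || :
    rm -f "$script"
    printf '%s\n' "$out"
}

# Stand-alone demo: one injected query, run both ways (needs gawk on PATH).
if command -v gawk >/dev/null 2>&1; then
    q='--source+BEGIN{print%22pwned%22;exit}'
    echo "argv words the server would pass for ?$q:"
    cgi_argv "$q"
    echo "gawk -f script.awk <argv>: $(run_cgi -f "$q")"   # injected BEGIN block runs
    echo "gawk -E script.awk <argv>: $(run_cgi -E "$q")"   # words are file names; injected code never runs
fi
```

With -f, gawk still parses options after the script name, so the first two argv words are accepted as "--source" plus program text and the injected BEGIN block runs before the CGI script's own rules. With -E, the same two words are only input file names; gawk fails to open them and the injected text is never compiled. The price of -E, as the manual notes, is that var=value assignments on the command line are also treated as file names, so a -E script takes its parameters from ENVIRON["QUERY_STRING"] or standard input, not from ARGV.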


